Hello, me again here!

Today I have finished my new PowerShell PKI module. Even if my first release was one month ago, it was reasonable for me to evaluate it and finalize certain things. This is because several commands was published in a test mode.

During my own usage I've noticed that several commands don't provide consistency and required level of usability. For example, there is a command named Get-CertificateTemplate. This command returns registered in AD certificate templates. In a previous release there was only one way to filter them by display name. My thought was that administrators remember display names rather common names. Also there are similar Add/Remove-CATemplate commands. They are used to add/remove certificate template from CA issued template list. In order to add a new template the only option was to specify template common name. This is because default ICertAdmin2 interface uses common names for that. Now Templates property contains common objects and Add/Remove-CATemplate commands are improved to handle either display name, common name or an object returned by Get-CertificateTemplate. Here is an example:

Update 28.05.2012: it appears that the same issue occurs with Remote Desktop Protocol too. Here is a fix for RDP: An RDP connection that uses SSL authentication and CredSSP protocol fails in Windows 7, in Windows Server 2008 R2, in Windows Vista and in Windows Server 2008

This is very interesting story of one customer (not my) and Thawte. It is common that you purchase SSL certificate from some of trusted commercial certification authority (CA) for public access. This reduces administrative effort on custom root CA (for example, your company own internal CA) installation on unmanaged computers (your company user's home computers). Or in partner organization. Also your company may not have own CA services and the only way to provide secure access to your web sites is to use certificates from commercial CAs.

Time by time this happens. Even highly trusted commercial certification authorities issue fraudulent certificates to malicious users. In 31 January 2001 (more than 10 years ago) VeriSign issued two fraudulent certificates to Microsoft on behalf of unknown men. This is very strange for a company who sell digital certificates starting with $100+ and cannot perform requestor identification as documented in their CPSs.

Ok this was ten years ago. But about 2 weeks ago Comodo CAs was compromised ( http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/ ). If VeriSign issued only two fraudulent certificates, Comodo — 9!!!!1111oneone. And to what names: login.live.com, login.yahoo.com, www.google.com, mail.google.com, login.skype.com and so on. All of them are SSL certificates. And not usual SSL certificates, but Extended Validation (EV) certificates!

Hello again! Sorry for issues accessing my blog, there was some problems with hosting provider. Now all is fixed (I believe it).

Probably you don't know (but is known for my Russian's blog readers) but I spent a lot of time to automate certain common PKI tasks with Windows PowerShell, the best automation tool. I've started this project about 2 years ago. Since that time I've deeply dived to PKI with some good experience in PowerShell (I already was PS MVP). And this blog contains several PKI automation examples that are included in my new project (and will be included in future). The most reasonable thing why I had started this project was certutil. Even if this is very powerful tool, but not optimized for scripting and automation scenarios. This is because it is necessary to parse complex command's output. Also certutil lacks in command help. Command switches are not user-friendly and mostly don't provide extended help information and usage examples. The biggest PowerShell advantage is pipeline. This allows you to collect certain data, modify it as necessary and pass to another command with a single line. For example, you have implemented OCSP responder for your Enterprise CAs and need to configure them to include OCSP URL to issued certificates AIA extension. There are 2 choices:

Update 15.03.2011: previous code sometime crashed due of StringBuilder buffer overflow. The code is updated to correctly size buffer.

I just wrote a little script that retrieves all CSPs (cryptographic service provider) that are registered on the system. It could be very useful when you are dealing with offline certificate requests via certreq.exe utility and other purposes. This script demonstrates some p/invoke techniques in Windows PowerShell. Code routine I got from corresponding CryptoAPI function MSDN pages: CryptEnumProviders and CryptEnumProviderTypes. Even though examples are in C++ it is not difficult to translate it to your .NET language (C#, PowerShell, etc). Here is a code: